US11496496B2ActiveUtilityA1

Method and system for user plane traffic characteristics and network security

63
Assignee: BLACKBERRY LTDPriority: Aug 31, 2017Filed: Apr 28, 2020Granted: Nov 8, 2022
Est. expiryAug 31, 2037(~11.1 yrs left)· nominal 20-yr term from priority
H04L 41/069H04L 63/1425H04L 43/0876H04L 63/20H04L 67/535H04L 63/1408H04L 43/16H04W 12/033H04W 12/60H04W 12/12H04L 63/0263H04L 43/062
63
PatentIndex Score
0
Cited by
30
References
27
Claims

Abstract

A method at a network element for monitoring user plane traffic for a user equipment, the method including configuring a set of characteristics and a range of values for each of the set of characteristics for user plane traffic between the user equipment and the network element; monitoring user plane traffic for the user equipment at the network element, the monitoring determining whether at least one characteristic of the user plane traffic falls outside of the configured range of a values, resulting in a characteristic violation; and if the at least one characteristic of the user plane traffic falls outside the configured range of a values, performing an action resulting from the characteristic violation.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method at a user equipment, the method comprising:
 sending, from the user equipment to a network element, a set of characteristics and a range of values for each of the set of characteristics for user plane traffic between the user equipment and the network element; 
 transmitting user plane traffic to the network element; 
 when at least one characteristic of the user plane traffic falls outside of the range of values, receiving a network action and performing at least one of: 
 receiving a secure message from the network element containing information associated with a characteristic violation based on the at least one characteristic of the user plane traffic falling outside of the range of values; 
 performing a connection re-establishment by having a procedure performed on the user equipment that promotes the user equipment to perform a new network registration procedure, and further by performing the new network registration procedure from the user equipment; 
 triggering an authentication procedure at the user equipment; and 
 turning on at least one of encryption or integrity protection; 
 wherein the sending is performed during the new network registration procedure between the user equipment and the network element. 
 
     
     
       2. The method of  claim 1 , wherein the user plane traffic is transmitted without at least one of integrity and encryption protection. 
     
     
       3. The method of  claim 1 , wherein the set of characteristics include at least one characteristic selected from the group comprising: the user equipment location; traffic volume to or from the user equipment; time of day for traffic for the user equipment; number of connections to the user equipment; duration of a session at the user equipment; a maximum number of data packets sent during a time period from the user equipment; a datatype for packets from the user equipment; a destination address for packets from the user equipment; and a permitted subscription usage for the user equipment. 
     
     
       4. The method of  claim 1 , wherein the network action and performing comprises receiving a secure message at the user equipment containing information associated with the characteristic violation. 
     
     
       5. The method of  claim 1 , wherein the network action and performing comprises performing a connection re-establishment by having a procedure performed on the user equipment that promotes the user equipment to perform a new network registration procedure and further by performing a network registration procedure from the user equipment. 
     
     
       6. The method of  claim 1 , wherein the network action and performing triggers an authentication procedure at the user equipment. 
     
     
       7. The method of  claim 2 , wherein the network action and performing comprises turning on at least one of encryption or integrity protection. 
     
     
       8. The method of  claim 1 , wherein the new network registration procedure enables the user equipment to send and receive communication signals. 
     
     
       9. The method of  claim 1 , wherein the new network registration procedure comprises an ATTACH procedure. 
     
     
       10. The method of  claim 1 , wherein the procedure performed on the user equipment that promotes the user equipment to perform the new network registration procedure is a DETACH procedure. 
     
     
       11. A user equipment comprising:
 a processor; 
 a communications subsystem, and 
 a memory; 
 wherein the processor, the communications subsystem, and the memory cooperate to: 
 send, from the user equipment to a network element, a set of characteristics and a range of values for each of the set of characteristics for user plane traffic between the user equipment and the network element; 
 transmit user plane traffic to the network element; 
 when at least one characteristic of the user plane traffic falls outside of the range of values, receive a network action and perform at least one of: 
 receive a secure message from the network element containing information associated with a characteristic violation based on the at least one characteristic of the user plane traffic falling outside of the range of values; 
 perform a connection re-establishment by having a procedure performed on the user equipment that promotes the user equipment to perform a new network registration procedure and further by performing the new network registration procedure from the user equipment; 
 trigger an authentication procedure at the user equipment; and 
 turn on at least one of encryption or integrity protection; 
 wherein the sending is performed during the new network registration procedure between the user equipment and the network element. 
 
     
     
       12. The user equipment of  claim 11 , wherein the user plane traffic is transmitted without integrity or encryption protection. 
     
     
       13. The user equipment of  claim 11 , wherein the set of characteristics include at least one characteristic selected from the group comprising: the user equipment location; traffic volume to or from the user equipment; time of day for traffic for the user equipment; number of connections to the user equipment; duration of a session at the user equipment; a maximum number of data packets sent during a time period from the user equipment; a datatype for packets from the user equipment; a destination address for packets from the user equipment; and a permitted subscription usage for the user equipment. 
     
     
       14. The user equipment of  claim 11 , wherein the user equipment is configured to perform, based on receiving the network action, receiving a secure message at the user equipment containing information associated with the characteristic violation. 
     
     
       15. The user equipment of  claim 11 , wherein the user equipment is configured to perform, based on receiving the network action, a connection re-establishment by having a procedure performed on the user equipment that promotes the user equipment to perform a new network registration procedure and further by performing a network registration procedure from the user equipment. 
     
     
       16. The network element of  claim 11 , wherein the user equipment is configured to perform, based on receiving the network action, an authentication procedure for the user equipment. 
     
     
       17. The network element of  claim 12 , wherein the user equipment is configured to perform, based on receiving the network action, turning on at least one of encryption or integrity protection. 
     
     
       18. The user equipment of  claim 11 , wherein the new network registration procedure enables the user equipment to send and receive communication signals. 
     
     
       19. The user equipment of  claim 11 , wherein the new network registration procedure comprises an ATTACH procedure. 
     
     
       20. The user equipment of  claim 11 , wherein the procedure performed on the user equipment that promotes the user equipment to perform the new network registration procedure is a DETACH procedure. 
     
     
       21. A non-transitory computer readable medium for storing program instructions, which when executed by a processor of a user equipment cause the user equipment to:
 send, from the user equipment to a network element, a set of characteristics and a range of values for each of the set of characteristics for user plane traffic between the user equipment and the network element; 
 transmit user plane traffic to the network element; 
 when at least one characteristic of the user plane traffic falls outside of the range of values, receive a network action and perform at least one of: 
 receive a secure message from the network element containing information associated with a characteristic violation based on the at least one characteristic of the user plane traffic falling outside of the range of values; 
 perform a connection re-establishment by having a procedure performed on the user equipment that promotes the user equipment to perform a new network registration procedure and further by performing the new network registration procedure from the user equipment; 
 trigger an authentication procedure at the user equipment; and 
 turn on at least one of encryption or integrity protection; 
 wherein the sending is performed during the new network registration procedure between the user equipment and the network element. 
 
     
     
       22. The non-transitory computer readable medium of  claim 21 , wherein the user plane traffic is transmitted without integrity or encryption protection. 
     
     
       23. The non-transitory computer readable medium of  claim 21 , wherein the set of characteristics include at least one characteristic selected from the group comprising: the user equipment location; traffic volume to or from the user equipment; time of day for traffic for the user equipment; number of connections to the user equipment; duration of a session at the user equipment; a maximum number of data packets sent during a time period from the user equipment; a datatype for packets from the user equipment; a destination address for packets from the user equipment; and a permitted subscription usage for the user equipment. 
     
     
       24. The non-transitory computer readable medium of  claim 21 , wherein the user equipment is caused to perform, based on receiving the network action, receiving a secure message at the user equipment containing information associated with the characteristic violation. 
     
     
       25. The non-transitory computer readable medium of  claim 21 , wherein the user equipment is caused to perform, based on receiving the network action, a connection re-establishment by having a procedure performed on the user equipment that promotes the user equipment to perform a new network registration procedure and further by performing a network registration procedure from the user equipment. 
     
     
       26. The non-transitory computer readable medium of  claim 21 , wherein the user equipment is caused to perform, based on receiving the network action, an authentication procedure for the user equipment. 
     
     
       27. The non-transitory computer readable medium of  claim 22 , wherein the user equipment is caused to perform, based on receiving the network action, turning on at least one of encryption or integrity protection.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.